Internal Audit clarification - How to perform the audits

jfriess

Involved In Discussions
I have recently received my pre-request for information for my upcoming transition audit. I am confused by one of the requests. They asked for internal audit results to support every new/changed/ modified clause (which is list on the their form).
We do our "system" audit by auditing each of our main processes (7). We follow a format that looks at many different aspects of the standard are being followed during each process. Ex: inputs, output, training, documentation, corrective action, improvement...

We do not perform our audits in a checklist format ensuring that every single clause of the standard is verified each time.

Am I misunderstanding how to perform the audits or misinterpreting what they are looking for?

Any advice would be appreciated.
 

AndyN

Moved On
I have recently received my pre-request for information for my upcoming transition audit. I am confused by one of the requests. They asked for internal audit results to support every new/changed/ modified clause (which is list on the their form).
We do our "system" audit by auditing each of our main processes (7). We follow a format that looks at many different aspects of the standard are being followed during each process. Ex: inputs, output, training, documentation, corrective action, improvement...

We do not perform our audits in a checklist format ensuring that every single clause of the standard is verified each time.

Am I misunderstanding how to perform the audits or misinterpreting what they are looking for?

Any advice would be appreciated.

Depending on your specific CB/Registrar, they have an underlying objective: They don't want to find a major when they audit. With the 2015 requirements, there are new/changed (modified = changed) requirements which they want YOU to audit to avoid them finding majors.

From what you have described, you may - just for this event - have to adjust your approach (which you should be doing anyways) to address the new/changed.
 

jfriess

Involved In Discussions
That makes sense to avoid Majors. I just thought by performing the Gap Analysis that we did when upgrading, we were checking everything. But it does make sense to double check (which we have just not documented in the audits)

And just to clarify, are you saying we should be doing a checklist approach every internal (system) audit or we should be continuously changing our approach?? This has never been our strongest area and i am just looking for advice on how to strengthen it... We are a small company (50 employees), so we only have 2 auditors.
 

AndyN

Moved On
That makes sense to avoid Majors. I just thought by performing the Gap Analysis that we did when upgrading, we were checking everything. But it does make sense to double check (which we have just not documented in the audits)

And just to clarify, are you saying we should be doing a checklist approach every internal (system) audit or we should be continuously changing our approach?? This has never been our strongest area and i am just looking for advice on how to strengthen it... We are a small company (50 employees), so we only have 2 auditors.

For the most part, a gap analysis is simply an administrative look at the requirements and asking "do we do this?"

What the CB/Registrar wants you to do is audit whatever you implemented as a result of closing the "gaps".

I'm not always certain what people mean by "checklists" since they can vary wildly. If the auditor prepares a "shopping list" of things they want to audit, that's the most effective, in my estimation.. The approach will be different, since the "scope" and "criteria" for each audit will necessitate a different shopping list... Does that make sense?
 

Kronos147

Trusted Information Resource
...We do our "system" audit by auditing each of our main processes (7). We follow a format that looks at many different aspects of the standard are being followed during each process. Ex: inputs, output, training, documentation, corrective action, improvement...

Excellent!

Do you have any document that ties in what requirements apply to those 7 processes? Does it say in the manual, perhaps, that you address 8.2 requirements for products\services with your contract review process?

When the internal auditor did the audit, did they know about the document and how they needed to look to ensure those requirements were being met when they assessed the process?
 
Top Bottom